Configuring Tomcat to accept DOD CAC card certificates

David Harris · Oct 14, 2010 · Viewed 9.3k times

I’m running an application on a stand-alone tomcat 6 server on a Windows box. I want it to be able to request and receive client certificates from DoD CAC cards.

I have a client machine running IE that is set up correctly to pass the certs from a CAC card. I know it's correct because when I go to a CAC-enabled site IE pops up a window asking me to choose a certificate, and in that window I see the certs from my CAC card.

I have tomcat configured to request certs from the user, and when I navigate to my site running on tomcat I see the same IE prompt asking me to choose my certificate; however, when I'm looking at my site the list of certs is empty. In my server.xml file I've configured my connector as follows:

<Connector port="8443" 
           protocol="HTTP/1.1" 
           SSLEnabled="true"
           maxThreads="150" 
           scheme="https" 
           secure="true"
           keystoreFile="<myKeystore>"
           keystorePass="<myPassword>"
           clientAuth="want" 
           sslProtocol="TLS" />

The place where I think I’m screwing up is in the generation of the key store file. Right now I’ve generated it using the java keytool command something like this:

keytool -genkey -alias tomcat -keyalg RSA -keypass myPassword -keystore myKeystore -storepass myPassword

I’m doing development now and I’m looking for a way to get the client certs from the CAC card to my application but I’m missing something. I’m not very familiar with how this works so I could use some help/guidance.

Thanks

Answer

David Harris · Oct 14, 2010

After a little hair pulling, here is what I found out. The reason the IE prompt asking me to choose my certificate was empty was because the client certs (certs on the CAC card) were not issued by any CAs in the trusted root on my tomcat server.

What I needed to do was add the root CA certs to my tomcat truststore. It took me a while to figure out how to get the certs. What I did was go to the http://dodpki.c3pki.chamb.disa.mil/rootca.html web site and download the root certificates (they come as .cac files), then import those files into IE (Tools->Internet Options->Content->Certificates). Then (again from the IE certificate tool) I exported the root certs as X509 files and created a trust store to contain them:

keytool -storepass somePassword -import -alias DoDClass3RootCA -keystore my.truststore -trustcacerts -file exports\DoDClass3RootCA.cer

Once that store was created I updated the Connector element in the server.xml file to include that trust store:

<Connector port="8443" 
           protocol="HTTP/1.1" 
           SSLEnabled="true"
           maxThreads="150" 
           scheme="https" 
           secure="true"
           truststoreFile="my.truststore"
           truststorePass="somePassword"
           … />

After doing that and restarting Tomcat, the CAC card certificates showed up for me.
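The question also asks how the application actually gets hold of the CAC certificate once the handshake works. The following is an added example, not code from the original post: a Servlet 2.5 filter for Tomcat 6 that reads the client chain Tomcat attaches to the request after a successful client-auth handshake against the truststore configured above. It assumes the Connector from the answer (clientAuth="want", truststoreFile="my.truststore"); the attribute name cac.edipi and the class name CacCertFilter are this example's own choices. The security point it covers is that clientAuth="want" does not fail the handshake when the browser presents no certificate (or the user cancels the prompt), so the request still reaches the web application and the application must refuse it itself.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not from the original post. Servlet 2.5 filter for Tomcat 6 that
 * picks up the CAC certificate chain Tomcat attaches to the request after a
 * successful TLS client-auth handshake against my.truststore.
 *
 * Caveat for the Connector in the answer: clientAuth="want" lets a browser that
 * presents no certificate through the handshake, so the application has to
 * refuse such requests itself. This filter does that.
 */
public class CacCertFilter implements Filter {

    /** Standard servlet attribute holding the verified client chain, leaf first. */
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Request attribute set for downstream servlets (name is this example's choice). */
    public static final String EDIPI_ATTR = "cac.edipi";

    /**
     * CAC subject CNs have the form LAST.FIRST.MIDDLE.EDIPI, where the EDIPI is a
     * 10-digit number; the DN is matched in RFC 2253 form (no spaces after commas).
     */
    private static final Pattern EDIPI_IN_CN =
            Pattern.compile("(?:^|,)CN=(?:[^,]*\\.)?(\\d{10})(?:,|$)");

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        X509Certificate[] chainFromTls = (X509Certificate[]) req.getAttribute(CERT_ATTR);

        if (chainFromTls == null || chainFromTls.length == 0) {
            // Handshake completed without a client cert: reject here, Tomcat will not.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "CAC certificate required");
            return;
        }

        X509Certificate leaf = chainFromTls[0];
        try {
            // Tomcat's trust manager already checked the validity window; repeat it so
            // the application does not depend on the Connector settings staying as they are.
            leaf.checkValidity();
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "CAC certificate not valid now");
            return;
        }

        String edipi = edipiFromSubject(leaf.getSubjectX500Principal().getName());
        if (edipi == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Subject is not a CAC identity");
            return;
        }

        req.setAttribute(EDIPI_ATTR, edipi);
        chain.doFilter(req, res);
    }

    /** Returns the 10-digit EDIPI from an RFC 2253 subject DN, or null if absent. */
    static String edipiFromSubject(String rfc2253Dn) {
        Matcher m = EDIPI_IN_CN.matcher(rfc2253Dn);
        return m.find() ? m.group(1) : null;
    }
}
```

Map the filter in the web application's web.xml with a filter element naming CacCertFilter and a filter-mapping whose url-pattern covers every path that must be CAC-protected. Servlets behind it then read the EDIPI from the cac.edipi request attribute instead of re-parsing the certificate; for a subject such as CN=DOE.JOHN.Q.1234567890,OU=USA,OU=PKI,OU=DoD,O=U.S. Government,C=US the filter stores 1234567890. Switching the Connector to clientAuth="true" is the alternative that makes Tomcat itself reject handshakes without a certificate, but it then applies to every context on that port.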